The more time we spend trying to build new things or get work that matters done, the more mistakes we are inevitably going to make.
I’ve come to realize that the key is to not let the chatter (both external and internal) about the mistakes and the stuff that is broken get in the way of showing up every day with enthusiasm.
Every day, we get the opportunity to solve puzzles that involve continually prioritizing between fixing what’s broken, plugging short term gaps, and investing in the long term. We get to do this in our products, in our communities, in our families, and within ourselves.
We (and what we build) are always going to be work in progress. Once we accept that, it follows that the best thing we can do is to make the most of that opportunity and continue to earn it every day.
In the long run, it turns out that becoming is far more important than being.
They walk among us in just about every office: People with their laptops open, bound for conference rooms and common areas, many keeping their devices ajar to avoid losing those precious few seconds of computer wake-up time.
While we cloak our phones in shock-proof plastic and their screens with tempered-glass shields, laptops rarely get similar protection. Considering these pieces of hardware are some of the most expensive items we work with, it’s a little shocking to see how cavalier we can be toward our one essential work device.
But since when has safety outweighed looking cool?
Over the past few weeks, we’ve been observing Quartzians in their natural habitat and have tried to make sense of their odd office rituals in porting their laptops from one meeting to the next. Here are some of our findings.
This is some silly fun. I know which one I am (“The Clutch”) and which I’d like to be (“The Vacationer”).
Here’s my list, in order, of what drives behavior in the modern, privileged world:
Cognitive load (and the desire for habit and ease)
Greed (fueled by fear)
The five are in an eternal dance, with capitalist agents regularly using behavioral economics to push us to trade one for the other. We’re never satisfied, of course, which is why our culture isn’t stable. We regularly build systems to create habits that lower the cognitive load, but then, curiosity amplified by greed and fear (plus our search for connection and desire to love) kick in and the whole cycle starts again.
I like Seth’s set up for this but not the corporate entity as the example. Here’s a sanitised version:
…without habits, every decision requires attention. And attention is exhausting.
And it’s stressful because the choices made appear to be expensive. There’s a significant opportunity cost to doing this not that. … what are you going to skip? What if it’s not worth the [time or wait]? What are you missing?
It’s all fraught. We feel the failure of a bad choice in advance, long before we discover whether or not it was actually bad.
What consistently good communicators do: Prepare thoroughly, show up on time, seek to understand, be thoughtful about their contributions, pay attention to non-verbal cues, and follow up.
When they do all of this, they succeed in reaching the people they’re speaking to in the right context – unerringly.
It turns out that being a consistently good communicator is largely determined by what we do when we’re not trying to communicate.
This post came out a while ago. I was reminded to write about it when I saw the 16 April Daily Stoic entry, OBSERVE CAUSE AND EFFECT:
“Pay close attention in conversation to what is being said, and to what follows from any action. In the action, immediately look for the target, in words, listen closely to what’s being signaled.” —MARCUS AURELIUS, MEDITATIONS, 7.4
To both quotes, there is an undercurrent of presence, of being in the moment when communicating. Being distracted by a laptop, tablet, or phone takes away from that presence.
The other undercurrent is that communication is, by definition, bidirectional (or full duplex for the networking nerds out there). It’s funny to me how many people forget that.
Cyber Security—also called Information Security, or InfoSec—is arguably the most interesting profession on the planet. It requires some combination of the attacker mentality, a defensive mindset, and the ability to constantly adapt to change. This is why it commands some of the highest salaries in the world.
“Cyber” vs. Information Security
One of the most common questions in the computer security industry is the difference between Cybersecurity and Information Security. The short answer is, “not much”. But the long answer is, well…longer.
Essentially, “Cyber” is a word from pop culture that actually fit our digital future fairly well, with the merging of humans and technology and society. In the beginning, “CyberSecurity” was used as a way to glamorize or sensationalize computer security, but over time people started using it in more and more serious conversations. And now we’re stuck with it.
If I had to give any distinction today (2019) it would be that Cybersecurity is a bit larger in scale than Information Security.
Read on in Daniel’s article for how he breaks Security down.
In general I think his taxonomy is spot on for the difference between Information Security (InfoSec) and Cyber Security. I am one of the people he references here:
People who’ve been in Information Security for a long time tend to really dislike the word “cyber” being used in a non-ironic way to describe what we do. But we’re getting over it.
I don’t always agree with Daniel’s writing, but this is a nice index.
This was a common topic on the late lamented PVC Security podcast. Let’s dive in!
The chief information security officer (CISO) is the executive responsible for an organization’s information and data security. While in the past the role has been rather narrowly defined along those lines, these days the title is often used interchangeably with CSO and VP of security, indicating a more expansive role in the organization.
Ambitious security pros looking to climb the corporate ladder may have a CISO position in their sights. Let’s take a look at what you can do to improve your chances of snagging a CISO job, and what your duties will entail if you land this critical role. And if you’re looking to add a CISO to your organization’s roster, perhaps for the first time, you’ll want to read on as well.
What does a CISO do? Perhaps the best way to understand the CISO job is to learn what day-to-day responsibilities fall under its umbrella. While no two jobs are exactly the same, Stephen Katz, who pioneered the CISO role at Citigroup in the ’90s, outlined the areas of responsibility for CISOs in an interview with MSNBC. He breaks these responsibilities down into the following categories:
Security operations: Real-time analysis of immediate threats, and triage when something goes wrong
Cyberrisk and cyber intelligence: Keeping abreast of developing security threats, and helping the board understand potential security problems that might arise from acquisitions or other big business moves
Data loss and fraud prevention: Making sure internal staff doesn’t misuse or steal data
Security architecture: Planning, buying, and rolling out security hardware and software, and making sure IT and network infrastructure is designed with best security practices in mind
Identity and access management: Ensuring that only authorized people have access to restricted data and systems
Program management: Keeping ahead of security needs by implementing programs or projects that mitigate risks — regular system patches, for instance
Investigations and forensics: Determining what went wrong in a breach, dealing with those responsible if they’re internal, and planning to avoid repeats of the same crisis
Governance: Making sure all of the above initiatives run smoothly and get the funding they need — and that corporate leadership understands their importance
What does it take to be considered for this role? Generally speaking, a CISO needs a solid technical foundation. Cyberdegrees.org says that, typically, a candidate is expected to have a bachelor’s degree in computer science or a related field and 7-12 years of work experience (including at least five in a management role); technical master’s degrees with a security focus are also increasingly in vogue. There’s also a laundry list of expected technical skills: beyond the basics of programming and system administration that any high-level tech exec would be expected to have, you should also understand some security-centric tech, like DNS, routing, authentication, VPN, proxy services and DDOS mitigation technologies; coding practices, ethical hacking and threat modeling; and firewall and intrusion detection/prevention protocols. And because CISOs are expected to help with regulatory compliance, you should know about PCI, HIPAA, NIST, GLBA and SOX compliance assessments as well.
But technical knowledge isn’t the only requirement for snagging the job — and may not even be the most important. After all, much of a CISO’s job involves management and advocating for security within company leadership. IT researcher Larry Ponemon, speaking to SecureWorld, said that “the most prominent CISOs have a good technical foundation but often have business backgrounds, an MBA, and the skills needed to communicate with other C-level executives and the board.”
Paul Wallenberg, Senior Unit Manager of Technology Services at staffing agency LaSalle Network, says that the mix of technical and nontechnical skills by which a CISO candidate is judged can vary depending on the company doing the hiring. “Generally speaking, companies with a global or international reach as a business will look for candidates with a holistic, functional security background and take the approach of assessing leadership skills while understanding career progression and historical accomplishments,” he says. “On the other side of the coin, companies that have a more web and product focused business lean on hiring specific skillsets around application and web security.”
As you climb the ladder in anticipation of a jump to CISO, it doesn’t hurt to burnish your resume with certifications. As Information Security puts it, “These qualifications refresh the memory, invoke new thinking, increase credibility, and are a mandatory part of any sound internal training curriculum.” But there are a somewhat bewildering number to choose from — Cyberdegrees.org lists seven. We asked LaSalle Network’s Wallenberg for his picks, and he gave us a top three:
“Certified Information Systems Security Professional (CISSP) is for IT professionals seeking to make security a career focus.”
“Certified Information Security Manager (CISM) is popular for those who are looking to climb the ladder within the security discipline and transition into leadership or program management.”
“Certified Ethical Hacker (CEH) is for security professionals looking to obtain an advanced awareness of issues that can threaten enterprise security.”
CISO vs. CIO vs. CSO
Security is a role within an organization that inevitably butts heads with others, since a security pro’s instincts are to lock down systems and make them harder to access — something that can conflict with IT’s job of making information and applications available in a frictionless way. The way that drama plays out at the top of the org chart can be as a CISO vs. CIO battle, and the contours of that fight are often established by the lines of reporting within an organization. (CSO discussed this in depth in the article “Does it matter who the CISO reports to?”) Even though both titles have “C” in the name, it’s relatively common for CISOs to report to CIOs, which can constrain CISOs’ ability to execute strategically, as their vision ends up being subordinated to the CIO’s overall IT strategy. CISOs definitely gain clout when they report directly to the CEO or the board, which is becoming an increasingly common practice. This might involve a change of title — according to the Global State of Information Survey 2018, CISOs are more likely to be subordinated to a CIO, whereas a security exec with the title of Chief Security Officer (CSO) is more likely to be on the same level as the CIO — and to have non-tech security responsibilities to boot.
Placing CIOs and CISOs on equal footing can help tamp down conflict, not least because it sends a signal to the whole organization that security is important. But it also means that the CISO can’t simply be a gatekeeper vetoing technical initiatives. As Ducati CIO Piergiorgio Grossi told i-CIO magazine, “it’s up to the CISO to help the IT team provide more robust products and services rather than simply saying ‘no.’” This shared responsibility for strategic initiatives changes the dynamics of the relationship — and can mean the difference between success and failure for new CISOs.
CISO job description
If you’re part of a search for a promising CISO for your organization, part of that involves writing a job description — and much of what we’ve discussed so far lays the foundation for how you’d approach that. “Companies first decide if they want to hire a CISO and obtain approvals for the level, reporting structure, and official title for the position — in smaller companies, CISOs can be VPs or Director of Security,” says LaSalle Network’s Wallenberg. “They also need to set the minimum requirements and qualifications of the role, and then go to market for external candidates or post for internal applicants.”
CSO Senior Editor Michael Nadeau lays out in some detail how you’d approach writing a CISO job description. One of the important things he points out is that your description should make your organization’s commitment to security very clear from the get-go, because that’s how you’re going to attract a high-quality candidate. You should highlight where the new CISO will end up on the org chart and how much board interaction they’ll have to really make this point clear. Another important point he makes is to keep the job description fresh, even if you have someone in the role — after all, you never know when that person will move on to another opportunity, and this is a crucial job that you don’t want to leave unstaffed.
If you check out Glassdoor, you can see salary ranges for current CISO job openings, which can help you get a sense of which sectors pay more or less. For instance, at this writing there’s an open CISO position in the federal government that pays between $164,000 and $178,000, and one at the University of Utah that pays between $230,000 and $251,000.
The CISO job landscape is always changing, and CSO has plenty of material to keep you up to date — how to get a CISO job, and how to navigate the career landscape. You might want to check out:
“A CISO’s guide to avoiding certain CISO jobs”: Not all CISO jobs are created equal, and some will set you up for failure that can have negative career implications down the line. Here are some tips on red flags to watch out for.
“Why do CISOs change jobs so frequently?”: The average CISO only stays on the job for 24-48 months, according to market research. Find out what these fast moves mean for the industry and how you can react.
“What is a virtual CISO?”: C-level execs aren’t immune to the trend towards “on-demand” employees who work on part time contracts rather than occupying full-time positions. This article will explain what virtual CISOs can and can’t do, which is important if you’re competing against them for jobs — or want to become one yourself.
The CISO/CSO and analogs suffer from a short life span and a need to impress the Board of Directors. Most CISOs are in poor situations at the start, and anyone who aspires to such a role needs to know the disadvantages.
The CISO/CSO often reports to the CIO, which is a conflict of interest. I generally recommend reporting to the CEO directly or else the COO or CFO.
CISO/CSO roles require strong reporting managers and talented teams plus reliable managed security service providers. The best way to determine their value is by measuring them. Yet many enterprises I visit fail to measure even the most obviously valuable metrics but want their Top Ten lists.
This is a solid summary of the CISO role. If you target this in your career path, this article is useful.
Thank you for these magical words, Cleo Wade. This was one of my biggest energetic shifts, when moving to New York City, 20 years ago, realizing people don’t really complain here much. Complaining is draining. It truly has no magic. Hence my personal rule: “When I catch myself complaining about something repeatedly, I have two options: Do something about it or let it go.”
A complaint is a tool.
A complaint for the sake of complaining is wasted energy. A complaint as constructive criticism or with solution(s) adds value. To say one won’t complain means one will not effect change. How does that add value?
What makes a great manager isn’t the problems they solve, but the questions they ask. Start with these 16 questions here.
An employee comes to you and says, “I have a problem.” If you’re trying to be a great manager, what do you do?
Your initial instinct might be to roll up your sleeves. “Time to be the boss,” you think to yourself. You’re ready to step in, solve the problem and save the day.
Or something like that. You just want to be helpful.
In reality, your instinct is the opposite of helpful. Startlingly, when you jump in to solve a problem as a manager, it’s one of the biggest leadership mistakes you can make.
I was reminded of this counterintuitive concept when chatting with Wade Foster, CEO of Zapier, on our Heartbeat podcast. Though his company today is thriving with over 200 employees and over 2 million users, Wade admitted how he struggled in the early days as a CEO when an employee would come to him with a problem:
> “When you [jump in and try to solve the problem yourself] you’re actually mistaking your roles. You’ve hired this person to solve problems. And if they’re unable to solve the problem, you’ve probably hired the wrong person.”
In other words, your role as a manager is not to solve problems. It’s to help others solve problems, themselves. Leadership is stewardship. It’s navigating your team through treacherous waters, around jagged rocks, to the desired destination, and making sure folks feel nourished and rested along the way. But you can’t be a good steward if you’re scampering around trying to paddle all the oars faster, yourself. To take the boat analogy one step further, a great manager is a coxswain, not a rower.
This confusion of roles leads to a highly undesired outcome: You prevent your team from learning how to solve the problem. A dangerous reliance develops that hinges on your expertise, your “final word.” Your team never gets to fuss, flail, and figure out how to crack a nut with their own hands. When you’re the one thinking through all the problems, you’re teaching your team members to not think for themselves.
You also inadvertently slow your team down. Every problem – especially the “hard ones” – is re-routed to you. So what happens if you’re out of the office that week? Or, what if your plate is full? Well, that problem will just have to wait. And wait it does. You become a bottleneck, the inhibitor of your team. You funnel your team into a single mode of dependency that’s difficult to undo.
The best leaders know this, and are keen to avoid this pitfall – so they do something else. They become the team’s accelerator. They help team members think for themselves.
How? By asking questions. Wade of Zapier adopted this practice as a CEO, describing it as a “more Socratic way” of helping his team solve problems. Ultimately, it leads to better results.
Ask questions and a team member can come to the answer themselves. Ask questions and the problem they’re facing becomes more lucid, less daunting. Ask questions and your team member might even come up with a better answer than you would have.
To be a great manager, here are 16 questions you can start with instead of jumping in to solve the problem yourself:
What do you see as the underlying root cause of the problem?
What are the options, potential solutions, and courses of action you’re considering?
What are the advantages and disadvantages to each course of action?
How would you define success in this scenario?
How do you know you will have been successful?
What would the worst possible case outcome be?
What’s the most likely outcome?
Which part of the issue or scenario seems most uncertain, befuddling, and difficult to predict?
What have you already tried?
What is your initial inclination for the path you should take?
Is there another solution that isn’t immediately apparent?
What’s at stake here, in this decision?
Is there an easier way to do what you suggested?
What would happen if you didn’t do anything at all?
Is this an either/or choice, or is there something you’re missing?
Is there anything you might be explaining away too quickly?
What you’ll notice when you ask these questions is that most employees already have an answer (or several answers!) to a given problem. But they were uncomfortable with it, or they were worried about getting it “wrong.”
Part of asking the questions isn’t just to help them think through the problem more clearly, but also to help them realize they know more than they think, they’re more capable than they think, and that they’ve mitigated the risks better than anticipated.
Your job as a leader isn’t to just help clarify thought process – but to give confidence in their thinking.
As Wade says, “You’re trying to just help them get to that realization that, ‘You know what to do.’”
After all, a great manager is centered on building the capabilities of their team, not their own capabilities.
Don’t solve the problem, yourself. Claire is the CEO of Know Your Team – software that helps you become a better manager. Her company was spun-out of Basecamp back in 2014. If you’re interested, you can read more of Claire’s writing on leadership on the Know Your Team blog.